Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Merge pull request #15683 from larrylv/fix-token-with-empty-value

Fix parsed token value with header `Authorization token=`.
  • Loading branch information...
commit b71d46a81a5798ea4e5ba0f7d41e07f573e6e615 2 parents 1c41d3b + fdb1059
@matthewd matthewd authored
View
7 actionpack/CHANGELOG.md
@@ -1,3 +1,10 @@
+* With authorization header `Authorization: Token token=`, `authenticate` now
+ recognize token as nil, instead of "token".
+
+ Fixes #14846.
+
+ *Larry Lv*
+
* Ensure the controller is always notified as soon as the client disconnects
during live streaming, even when the controller is blocked on a write.
View
4 actionpack/lib/action_controller/metal/http_authentication.rb
@@ -449,7 +449,7 @@ def token_and_options(request)
authorization_request = request.authorization.to_s
if authorization_request[TOKEN_REGEX]
params = token_params_from authorization_request
- [params.shift.last, Hash[params].with_indifferent_access]
+ [params.shift[1], Hash[params].with_indifferent_access]
end
end
@@ -464,7 +464,7 @@ def params_array_from(raw_params)
# This removes the `"` characters wrapping the value.
def rewrite_param_values(array_params)
- array_params.each { |param| param.last.gsub! %r/^"|"$/, '' }
+ array_params.each { |param| (param[1] || "").gsub! %r/^"|"$/, '' }
end
# This method takes an authorization body and splits up the key-value
View
29 actionpack/test/controller/http_token_authentication_test.rb
@@ -132,13 +132,30 @@ def authenticate_long_credentials
assert_equal(expected, actual)
end
- private
-
- def sample_request(token)
- @sample_request ||= OpenStruct.new authorization: %{Token token="#{token}"}
+ test "token_and_options returns empty string with empty token" do
+ token = ''
+ actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first
+ expected = token
+ assert_equal(expected, actual)
end
- def encode_credentials(token, options = {})
- ActionController::HttpAuthentication::Token.encode_credentials(token, options)
+ test "token_and_options returns nil with no value after the equal sign" do
+ actual = ActionController::HttpAuthentication::Token.token_and_options(malformed_request).first
+ expected = nil
+ assert_equal(expected, actual)
end
+
+ private
+
+ def sample_request(token)
+ @sample_request ||= OpenStruct.new authorization: %{Token token="#{token}", nonce="def"}
+ end
+
+ def malformed_request
+ @malformed_request ||= OpenStruct.new authorization: %{Token token=}
+ end
+
+ def encode_credentials(token, options = {})
+ ActionController::HttpAuthentication::Token.encode_credentials(token, options)
+ end
end
Please sign in to comment.
Something went wrong with that request. Please try again.